Posted
by
Soulskill
on Saturday December 10, 2011 @12:25PM
from the time-to-argue-again dept.

Sparrowvsrevolution writes "Researchers at the security firm Accuvant released a study Friday that gauges the security features of the top three web browsers. Accuvant admits the study was funded by Google, and naturally, Chrome came out on top. More surprising is that Internet Explorer was rated nearly as secure as Chrome, while Firefox is described as lacking many modern security safeguards. Though the study seems to have been performed objectively, it won't help Google's fraying partnership with Mozilla."
The full research document is available here (PDF), and it goes into much greater detail than the Forbes article. Accuvant also published the tools and data they used in the study, which should help to evaluate their objectivity.

Software products are products of corporate cultures. That's not just how people in a corporation tend to think, it's what they tend to value. There is no doubt that Microsoft is capable of producing a secure browser when faced with public criticism and strong competition. The question is whether they will continue to do so if public attention flags or the competition declines, or whether security will be sacrificed to some other business goal.

Of course you can ask that of *any* browser produced by *any* organization, but the point is that it is a bad idea to accord any one browser product a privileged position. Developers should develop to standards then test against multiple products, and users should not be shy about changing browsers. The problem is that IE inherently has a privileged position, and Microsoft has a history of using interlocking, non-proprietary product stacks to drive sales across product categories. That means Microsoft has unusual temptations when it comes to security, because of IE.

The study itself appears to be bunk. They assume that the browser is going to be exploited which doesn't give any credit to how difficult that might be. It is valid to look at that, but it's incredibly misleading for them to suggest that all browsers are equally likely to be broken. Ultimately, by the time those technologies come into play you're more or less screwed. They can somewhat limit the damage, but if somebody's broken into the browser they probably know where one of the exploits is to get out of the browser.

It also doesn't take into account common security extensions that people are likely to have or the types of people that use the browsers. Ultimately, it doesn't matter how secure your browser is if you just go around clicking random links and downloading questionable software.

Yes. But 99% of people are going to keep their Flash and PDF readers. But if you download PDFs and read them locally later, you can still be exploited if you use vulnerable reader. All of them have had exploits too, but Adobe's is the most targeted one.

And yes, these exploits work for Linux too, if someone just remakes their payload to target them. In many cases you don't even need root access to most malware, so Linux security doesn't really offer much. However, in that case it actually needs the malware author to create separate payload for Linux.

This basically the core of Firefox's issues. Up until version 3.6, Firefox was a respectable browser and it was enough to Microsoft to improve from IE6. But ever since version 4.0 and the rapid release "versions" that inflate the number Firefox has been crippled by breaking extensions, disruptive UI changes and over idiocy by the Chrome-aid drinking Firefox developers.

If Firefox is to be a good browser again, it needs to be forked away from Mozilla and taken over by good developers just like Xfree86 had to be forked into X.org.

Of all of the major browsers, Firefox has by far the most fucked up architecture. When you examine it, it's no wonder why Firefox suffers from so many performance problems, excessive memory usage, and various other problems.

The core parts of it are written in C++, which isn't a bad idea, by any means. However, they've decided to use a stuck-in-the-1990s variant of C++ that's extremely handicapped and limited. This might make it portable, but it also encourages the creation of obtuse, low-quality C++ code.

It's the crap they've layered on top of this core that really makes any good software developer ask, "What the fuck?" XPCOM is braindead. It's a pile of crap beyond belief. It makes MS COM a pleasure to work with, if you can even imagine that.

Then they implement the UI in a horrid mix of JavaScript and XML (they call it XUL). If you've done any serious UI development using real toolkits like Motif, MFC, wxWidgets, Swing, SWT, WinForms, and even Gtk+, you'll immediately see how stupid this JavaScript/XUL approach is. It's everything that's bad about JavaScript (and that's just about everything about it), combined with everything that's bad with XML, combined with everything that's bad about HTML and web development.

The use of JavaScript and XUL to build desktop applications is, to me, a sign of ignorance. When all you know is web development, you'll try to use the same techniques for application development, and it'll be a disaster. See Firefox.

It should be clear to any good software developer why Firefox has such poor performance, and why it uses so much memory. Its architecture is complete rubbish. It's as if every bad idea possible was chosen, from the use of a poor subset of C++ to the extensive use of JavaScript and XML where neither is appropriate for use.

It also becomes clear why it was relatively easy for Chrome to crush Firefox so easily. It's apparently developed by proper C++ developers, who are smart enough to know to not use web development techniques for desktop application development.

Yes, that's exactly what I didn't mean.
The test was a test of Firefox (and IE and Chrome), not a test of "Firefox with some add-ons installed". Chrome has optional third-party security plugins too, and they also weren't enabled for the test. NoScript isn't a part of Firefox, doesn't come bundled with the browser, and isn't developed by Mozilla. Why should it be included in the test?

No, it'd be like reviewing an SLR without an external flash bulb. Raw mode is built-in to the camera, NoScript is not built-in to Firefox. NoScript, like the external flash bulb, is an optional feature that the browser/camera is made to accept, but also made to work without. Most Firefox users don't use NoScript, even though almost every power user does. Likewise, most people who buy SLRs are overspoiled teens who will never leave the safety of "Auto" mode and probably don't even know that you can swap lens at all - but every serious photographer has a bag full of peripherals for each specific kind of photo they want to make.
I've never read a side-by-side comparison of, say, a Nikon and a Canon camera where the reviewer concludes that despite being all-around worse than model B, you should still buy model A because it fits more different kinds of peripherals. It's the same thing with web browsers.

He didn't blindly dismiss your evidence. He directly refuted it by pointing out there are in fact vulnerabilities for Chrome, contrary to your claim that there are zero, and that you have to compare vulnerabilities within the same timeframe, which is entirely logical or else you could cite vulnerabilities from years ago in comparison to browsers today.

As the other guy who replied to you have noted, you're comparing apples and oranges (or rather cherries and watermelons) here - you're picking a specific release of Chrome (a browser that updates version number several times month), a specific version of Firefox (a browser that updates version number several times per year), and a specific version of IE (a browser that updates version number once in two years). To make a meaningful comparison, you need to compare similar time periods, no matter how many versions were released in that period for the browser.

So, IE9 was released in March 2011 - let's look at the time period from that point until today. Looking at release history in Wikipedia, this means Chrome from 10.0.648 to 17.0.963, and at Firefox from 4.0 to 8.0 (note that IE9 also had numerous updates in that time frame, it just doesn't count them as releases).

Now I won't even bother counting, because even just looking at the earliest versions of both Chrome and Firefox as listed above both produce two pages worth of vulnerabilities, versus one pages for IE. It's obviously a very rough metric because this doesn't account for severity of those vulnerabilities, but it already goes to show that your original numbers (zero and two) are bullshit. I hope someone who's more patient than me will go through those lists and make a nice summary.

Also, specifically with respect to Chrome, a good half of vulnerabilities are ones from Flash. This is technically correct, because Chrome ships bundled with Flash. However, in practice, vast majority of browser users on the desktop have Flash installed in any browser that they're using; so, to get a meaningful security comparison for a typical desktop, you need to either subtract those Flash vulnerability numbers from Chrome, or add them to other browsers. This would make Chrome the most secure by far, and Firefox the least - exactly as TFA says.

It's also basic common sense. You're comparing two browsers who have sandboxed-process-per-tab with a browser that does everything in a single process with no security boundary. Of course the latter is going to be more vulnerable!